b"                                           SOCIAL SECURITY\n\nNovember 10, 2004\n\nTo: The Honorable Jo Anne B. Barnhart\n    Commissioner\n\nThis letter transmits the PricewaterhouseCoopers LLP (PwC) Report of Independent Auditors on the audit of the\nSocial Security Administration\xe2\x80\x99s (SSA) Fiscal Year (FY) 2004 and 2003 financial statements. PwC's Report\nincludes the firm\xe2\x80\x99s Opinion on the Financial Statements, Report on Management's Assertion About the Effectiveness\nof Internal Control, and Report on Compliance with Laws and Regulations.\n\nObjective of a Financial Statement Audit\nThe objective of a financial statement audit is to determine whether the financial statements are free of material\nmisstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the\nfinancial statements. An audit also includes assessing the accounting principles used and significant estimates made\nby management as well as evaluating the overall financial statement presentation.\n\nPwC\xe2\x80\x99s examination was made in accordance with generally accepted auditing standards, Government Auditing\nStandards issued by the Comptroller General of the United States, and Office of Management and Budget (OMB)\nBulletin 01-02, Audit Requirements for Federal Financial Statements. The audit included obtaining an\nunderstanding of the internal control over financial reporting and testing and evaluating the design and operating\neffectiveness of the internal control. Because of inherent limitations in any internal control, there is a risk that errors\nor fraud may occur and not be detected. The risk of fraud is inherent to many of SSA\xe2\x80\x99s programs and operations,\nespecially within the Supplemental Security Income (SSI) program. In our opinion, people outside the organization\nperpetrate most of the fraud against SSA.\n\nAudit of Financial Statements, Effectiveness of Internal Control, and Compliance with\nLaws and Regulations\nThe Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended, requires SSA's Inspector General (IG)\nor an independent external auditor, as determined by the IG, to audit SSA's financial statements in accordance with\napplicable standards. Under a contract monitored by the Office of the Inspector General (OIG), PwC, an\nindependent certified public accounting firm, audited SSA's FY 2004 financial statements. PwC also audited the\nFY 2003 financial statements, presented in SSA's Performance and Accountability Report for FY 2004 for\ncomparative purposes. PwC issued an unqualified opinion on SSA's FY 2004 and 2003 financial statements. PwC\nalso reported that SSA's assertion that its systems of accounting and internal control are in compliance with the\ninternal control objective in OMB Bulletin 01-02 is fairly stated in all material respects. However, the audit\nidentified one reportable condition in SSA's internal control:\n\n\n\n\n                           SOCIAL SECURITY ADMINISTRATION          BALTIMORE MD 21235-00001\n\x0cPage 2 \xe2\x80\x93 The Honorable Jo Anne B. Barnhart\n\nSSA Needs to Further Strengthen Controls to Protect Its Information\n\nThis same condition was found in prior year audits. It is PwC\xe2\x80\x99s opinion that SSA has made notable progress in\naddressing the information protection issues raised in prior years. Despite these accomplishments, SSA\xe2\x80\x99s systems\nenvironment remains threatened by security and integrity exposures to SSA operations.\n\n\nOIG Evaluation of PwC Audit Performance\nTo fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work\nperformed, we monitored PwC's audit of SSA's FY 2004 financial statements by:\n\n         \xe2\x80\xa2   Reviewing PwC's approach and planning of the audit;\n\n         \xe2\x80\xa2   Evaluating the qualifications and independence of its auditors;\n\n         \xe2\x80\xa2   Monitoring the progress of the audit at key points;\n\n         \xe2\x80\xa2   Examining its workpapers related to planning the audit and assessing SSA's internal control;\n\n         \xe2\x80\xa2   Reviewing PwC's audit report to ensure compliance with Government Auditing Standards and OMB\n             Bulletin 01-02;\n\n         \xe2\x80\xa2   Coordinating the issuance of the audit report; and\n\n         \xe2\x80\xa2   Performing other procedures that we deemed necessary.\n\nPwC is responsible for the attached auditor\xe2\x80\x99s report, dated November 8, 2004, and the opinions and conclusions\nexpressed therein. The OIG is responsible for technical and administrative oversight regarding PwC\xe2\x80\x99s performance\nunder the terms of the contract. Our review, as differentiated from an audit in accordance with applicable auditing\nstandards, was not intended to enable us to express, and accordingly we do not express, an opinion on SSA\xe2\x80\x99s\nfinancial statements, management\xe2\x80\x99s assertions about the effectiveness of its internal control over financial reporting,\nor SSA\xe2\x80\x99s compliance with certain laws and regulations. However, our monitoring review, as qualified above,\ndisclosed no instances where PwC did not comply with applicable auditing standards.\n\n\n\n\n                                                       S\n                                                       Patrick P. O\xe2\x80\x99Carroll, Jr.\n                                                       Acting Inspector General\n\x0c                                                                                                  PricewaterhouseCoopers LLP\n                                                                                                  Suite 800W\n                                                                                                  1301 K St., N.W.\n                                                                                                  Washington DC 20005-3333\n                        REPORT OF INDEPENDENT AUDITORS                                            Telephone (202) 414 1000\n                                                                                                  Facsimile (202) 414 1301\n                                                                                                  www.pwc.com\n\nTo the Honorable Jo Anne B. Barnhart\nCommissioner\nSocial Security Administration\n\nIn our audit of the Social Security Administration (SSA), we found:\n\n\xe2\x80\xa2   The consolidated balance sheets of SSA as of September 30, 2004 and 2003, and the related consolidated\n    statements of net cost, of changes in net position, and of financing and the combined statements of budgetary\n    resources for the years then ended are presented fairly, in all material respects, in conformity with accounting\n    principles generally accepted in the United States of America;\n\xe2\x80\xa2   Management fairly stated that SSA\xe2\x80\x99s systems of accounting and internal control in place as of September 30,\n    2004, are in compliance with the internal control objectives in the Office of Management and Budget (OMB)\n    Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, requiring that (1) transactions be\n    properly recorded, processed and summarized to permit the preparation of the consolidated and combined\n    financial statements in accordance with accounting principles generally accepted in the United States of\n    America, and to safeguard assets against loss from unauthorized acquisition, use or disposition; (2) transactions\n    are executed in accordance with laws governing the use of budget authority, other laws and regulations that\n    could have a direct and material effect on the consolidated or combined financial statements or Required\n    Supplemental Stewardship Information (RSSI) and any other laws, regulations and government wide policies\n    identified in Appendix C of OMB Bulletin No. 01-02;\n\xe2\x80\xa2   No reportable instances of noncompliance with the laws, regulations or other matter tested.\n\nThe following sections outline each of these conclusions in more detail.\n\nOPINION ON THE FINANCIAL STATEMENTS\n\nWe have audited the accompanying consolidated balance sheets of SSA as of September 30, 2004 and 2003, and the\nrelated consolidated statements of net cost, of changes in net position, and of financing and the combined statements\nof budgetary resources for the years then ended. These financial statements are the responsibility of SSA\xe2\x80\x99s\nmanagement. Our responsibility is to express an opinion on these financial statements based on our audits.\n\nWe conducted our audits in accordance with auditing standards generally accepted in the United States of America;\nthe standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller\nGeneral of the United States; and OMB Bulletin No. 01-02. Those standards require that we plan and perform the\naudit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An\naudit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial\nstatements. An audit also includes assessing the accounting principles used and significant estimates made by\nmanagement, as well as evaluating the overall financial statement presentation. We believe that our audits provide a\nreasonable basis for our opinion.\n\nIn our opinion, the consolidated and combined financial statements referred to above and appearing on pages 146\nthrough 167 of this performance and accountability report, present fairly, in all material respects, the financial\nposition of SSA at September 30, 2004 and 2003, and its net cost of operations, changes in net position, budgetary\nresources and financing for the years then ended in conformity with accounting principles generally accepted in the\nUnited States of America.\n\x0cREPORT ON MANAGEMENT\xe2\x80\x99S ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL\nCONTROL\n\nWe have examined management\xe2\x80\x99s assertion that SSA\xe2\x80\x99s systems of accounting and internal control are in compliance\nwith the internal control objectives in OMB Bulletin No. 01-02, requiring that (1) transactions be properly recorded,\nprocessed and summarized to permit the preparation of the consolidated and combined financial statements in\naccordance with accounting principles generally accepted in the United States of America, and to safeguard assets\nagainst loss from unauthorized acquisition, use or disposition; and (2) transactions are executed in accordance with\nlaws governing the use of budget authority, other laws and regulations that could have a direct and material effect on\nthe consolidated or combined financial statements or RSSI and any other laws, regulations and government wide\npolicies identified in Appendix C of OMB Bulletin No. 01-02 as of September 30, 2004. We did not test all internal\ncontrols relevant to the operating objectives broadly defined by the Federal Managers\xe2\x80\x99 Financial Integrity Act of\n1982. SSA\xe2\x80\x99s management is responsible for maintaining effective internal controls. Our responsibility is to express\nan opinion on management\xe2\x80\x99s assertion based on our examination.\n\nOur examination was conducted in accordance with attestation standards established by the American Institute of\nCertified Public Accountants (AICPA), the standards applicable to financial audits contained in Government\nAuditing Standards, issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02 and,\naccordingly, included obtaining an understanding of the internal control, testing and evaluating the design and\noperating effectiveness of internal control, and performing such other procedures as we considered necessary in the\ncircumstances. We believe that our examination provides a reasonable basis for our opinion.\n\nBecause of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be\ndetected. Also, projections of any evaluation of internal control to future periods are subject to the risk that the\ninternal control may become inadequate because of changes in conditions, or that the degree of compliance with the\npolicies or procedures may deteriorate.\n\nIn our opinion, management\xe2\x80\x99s assertion that SSA\xe2\x80\x99s systems of accounting and internal control are in compliance\nwith the internal control objectives in OMB Bulletin No. 01-02, requiring that (1) transactions be properly recorded,\nprocessed, and summarized to permit the preparation of the consolidated and combined financial statements in\naccordance with accounting principles generally accepted in the United States of America, and to safeguard assets\nagainst loss from unauthorized acquisition, use or disposition; and (2) transactions are executed in accordance with\nlaws governing the use of budget authority, other laws and regulations that could have a direct and material effect on\nthe consolidated or combined financial statements or RSSI and any other laws, regulations and government wide\npolicies identified in Appendix C of OMB Bulletin No. 01-02, is fairly stated, in all material respects, as of\nSeptember 30, 2004.\n\nHowever, we noted certain matters involving the internal control and its operation, set forth below, that we consider\nto be a reportable condition under standards established by the AICPA and by OMB Bulletin No. 01-02. Reportable\nconditions are matters coming to our attention, that in our judgment, should be communicated because they\nrepresent significant deficiencies in the design or operation of the internal control that could adversely affect SSA\xe2\x80\x99s\nability to meet the internal control objectives in OMB Bulletin No. 01-02 previously noted. Material weaknesses are\nreportable conditions in which the design or operation of one or more of the internal control components does not\nreduce to a relatively low level the risk that errors, fraud or noncompliance in amounts that would be material in\nrelation to the consolidated or combined financial statements or RSSI being audited, or material to a performance\nmeasure or aggregation of related performance measures, may occur and not be detected within a timely period by\nemployees in the normal course of performing their assigned functions. We believe that the reportable condition that\nfollows is not a material weakness as defined by the AICPA and OMB Bulletin No. 01-02.\n\nSSA Needs to Further Strengthen Controls to Protect Its Information:\n\nDuring FY 2004, SSA management corrected many of the issues previously noted regarding physical security at the\nDisability Determination Service (DDS) sites and enhanced continuity of operations activities, including testing of\n\x0cnewly developed continuity procedures for Regional Office (RO), Program Service Center (PSC) and DDS sites.\nAdditionally, significant progress was made on the Standardized Security Profile Project (SSPP). During the year:\n\n\xe2\x80\xa2   Access assignments of operations personnel to access application transactions for all major SSA systems\n    identified and defined by SSA management as critical to operations, were identified, reviewed, adjusted and\n    confirmed;\n\xe2\x80\xa2   Datasets were identified for major systems defined by SSA management as critical to operations;\n\xe2\x80\xa2   New profiles and procedures were created to control access to the datasets within the critical applications\n    identified and defined by SSA management;\n\xe2\x80\xa2   Many of the new profiles for granting update access to the datasets of the critical applications were established\n    and vetted;\n\xe2\x80\xa2   New procedures were implemented to ensure new datasets were named in accordance with naming standards\n    and that these datasets included descriptions to allow users to readily understand their contents; and,\n\xe2\x80\xa2   Procedures and plans were honed to continue the process to ensure controlled access to system datasets,\n    including continuance of the SSPP.\n\nAlthough significant progress has been made regarding logical security controls, we note the need for continued\nprogress regarding the certification of security access assignments to system datasets within critical applications.\nTesting disclosed that systems employees still have direct update access to many of the datasets within the critical\napplications without consistent auditing. Further, at the time of our audit too many employees had been granted\nupdate access to allow reasonable review of their activities to be considered an effective control.\n\nWe also noted that security configurations had not been developed for all of the servers in use in SSA\xe2\x80\x99s distributed\nprocessing environment. Additionally, some server security configurations required update and enhancement.\nDistributed server security configurations represent a key control in ensuring security of the SSA network.\n\nSpecific disclosure of detailed information about these exposures might further compromise controls and are\ntherefore not provided within this report. Rather, the specific details of weaknesses noted are presented in a\nseparate, limited-distribution management letter.\n\nThe need for a strong security program to address threats to the security and integrity of SSA operations grows and\ntransforms as the Agency continues to progress with plans to increase dependence on the Internet and Web-based\napplications to serve the American public. Clear, continued and measurable progress has been made towards the\nestablishment of a strong overall security program. However, to more fully protect SSA from risks associated with\nthe loss of data, loss of other resources or compromised privacy of information associated with SSA\xe2\x80\x99s enumeration,\nearnings, retirement and disability processes and programs, SSA must further strengthen its security program.\nSpecifically, further progress is needed in the area of access assignments to application systems data and programs\nby systems personnel, including the continual review of systems access, and in the assurance that security\nconfiguration standards for distributed servers are established, kept current, and enforced.\n\nRecommendations\n\nWe recommend that SSA continue its efforts to enhance information protection by continuing to implement the\nremaining portions of the SSPP and through the establishment, refinement and enforcement of procedures to ensure\nstandard security configurations for distributed servers. More specific recommendations focused upon the\nindividual exposures we identified are included in a separate, limited-distribution management letter.\n\nWe noted other matters involving the internal control and its operation that we will communicate in a separate letter.\n\nINTERNAL CONTROL RELATED TO KEY PERFORMANCE INDICATORS AND RSSI\n\nWith respect to internal control relevant to data that support reported performance measures on pages 42 to 65 of\nthis performance and accountability report, we obtained an understanding of the design of significant internal\ncontrol relating to the existence and completeness assertions, as required by OMB Bulletin No. 01-02. Our\n\x0cprocedures were not designed to provide assurance on the internal control over reported performance measures and,\naccordingly, we do not express an opinion on such control.\n\nIn addition, we considered SSA\xe2\x80\x99s internal control over RSSI by obtaining an understanding of SSA\xe2\x80\x99s internal\ncontrol, determined whether these internal controls had been place in operation, assessed control risk, and performed\ntests of controls as required by OMB Bulletin No. 01-02 and not to provide assurance on these controls.\nAccordingly, we do not provide an opinion on such controls.\n\nREPORT ON COMPLIANCE AND OTHER MATTERS\n\nThe management of SSA is responsible for compliance with laws and regulations. As part of obtaining reasonable\nassurance about whether the financial statements are free of material misstatement, we performed tests of\ncompliance with certain provisions of laws and regulations, noncompliance with which could have a direct and\nmaterial effect on the determination of financial statement amounts and certain other laws and regulations specified\nin OMB Bulletin No. 01-02, including the requirements referred to in the Federal Financial Management\nImprovement Act (FFMIA) of 1996. We limited our tests of compliance to these provisions, and we did not test\ncompliance with all laws and regulations applicable to SSA. However, providing an opinion on compliance with\nthose provisions was not an objective of our audit and, accordingly, we do not express such an opinion.\n\nThe results of our tests of compliance disclosed no instances of noncompliance with laws and regulations discussed\nin the preceding paragraph exclusive of FFMIA or other matters that are required to be reported under Government\nAuditing Standards or OMB Bulletin No. 01-02.\n\nUnder FFMIA, we are required to report whether SSA\xe2\x80\x99s financial management systems substantially comply with\nthe Federal financial management systems requirements, applicable Federal accounting standards, and the United\nStates Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests\nof compliance with FFMIA section 803(a) requirements.\n\nThe results of our tests disclosed no instances in which SSA\xe2\x80\x99s financial management systems did not substantially\ncomply with the three requirements discussed in the preceding paragraph.\n\x0cOTHER INFORMATION\n\nThe Management\xe2\x80\x99s Discussion and Analysis (MD&A) included on pages 1 to 2 and 7 to 80, Required\nSupplementary Information (RSI) included on pages 172 to 173, and Required Supplementary Stewardship\nInformation (RSSI) included on pages 174 to 192 of this performance and accountability report, are not a required\npart of the financial statements but are supplementary information required by the Federal Accounting Standards\nAdvisory Board and OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We have applied\ncertain limited procedures, which consisted principally of inquiries of management regarding the methods of\nmeasurement and presentation of the MD&A, RSI and RSSI. However, we did not audit the information and\nexpress no opinion on it.\n\nOur audit was conducted for the purpose of forming an opinion on the consolidated and combined financial\nstatements of SSA taken as a whole. The Schedule of Budgetary Resources, included on page 172 of this\nperformance and accountability report, is not a required part of the consolidated or combined financial statements\nbut is supplementary information required by OMB Bulletin No. 01-09, Form and Content of Agency Financial\nStatements. This information and the consolidating and combining information included on pages 168 to 171 of\nthis performance and accountability report are presented for purposes of additional analysis and are not a required\npart of the consolidated or combined financial statements. Such information has been subjected to the auditing\nprocedures applied in the audit of the consolidated and combined financial statements and, in our opinion, are fairly\nstated in all material respects in relation to the consolidated and combined financial statements taken as a whole.\n\nThe other accompanying information included on pages 3 to 6, 81 to 145, 193 to 194 and 200 to the end of this\nperformance and accountability report, are presented for purposes of additional analysis and are not a required part\nof the financial statements. Such information has not been subjected to the auditing procedures applied in the audit\nof the consolidated and combined financial statements and, accordingly, we express no opinion on it.\n\n                                                      *****\n\nThis report is intended solely for the information and use of management and the Inspector General of SSA, OMB,\nthe Government Accountability Office and Congress and is not intended to be and should not be used by anyone\nother than these specified parties.\n\n\n\n\nNovember 8, 2004\n\x0c"